As I’ve been cutting my teeth in the PWK labs, I’ve been working on doing things more efficiently, specifically to save time. I remember reading a chapter of POC|GTFO that mentioned “building your own birdfeeder”, an idea I particularly liked as applied to building your own toolset. Some people ask, “why not just find your own tools?”

Well, in some cases you may save time grabbing a port scanner or some pre-baked tool from the Scripting Gallery, and that’s fine and all, but if you want to get better, and you want to separate yourself from the garden variety script kiddie, building out some of your own tools is good mental floss. In my case, I wanted to knock out some of the recon process as I work on boxes and make my initial steps repeatable.

First I started with getting some nmap scripts together. Nothing special…yet. This is just a simple bash script to get it out of the way. Below is one of the earlier iterations of my recon script. While I used this on other labs, there aren’t any spoilers for any of the lab content.

#!/usr/bin/env bash
# Automates the recon work (nmap scans; nikto still to come)
# The env argument has not been added yet
echo "########################################################";
echo "##         HTBRecon.sh  HackTheBox    @n1c_Fury       ##";
echo "## ./HTBRecon.sh <host> <folder> <env:HTB/PWK/OSCP>   ##";
echo "##       Use '-iL path/file' for multiple hosts       ##";
echo "##  Place this file in the folder you're working in   ##";
echo "########################################################";
# Refuse to start an hour of scans with an empty target or folder
if [ -z "$1" ] || [ -z "$2" ]; then
    echo "[!] Usage: $0 <host | -iL path/file> <folder>"; exit 1;
fi
# -O and -sS need raw sockets, so warn when not running as root
[ "$(id -u)" -eq 0 ] || echo "[!] Not running as root: the -O/-sS scans will fail, run with sudo";
date;
echo "[*] Creating working directory";
echo "[*] Files will be stored in the folder named $2";
echo "[*] This will take an hour or so";
mkdir -p "$2";
cd "$2" || exit 1;   # never scan into the wrong directory if the folder could not be created
echo "";
# $1 is left unquoted on purpose so that '-iL path/file' expands to two arguments
echo "[*] Scanning top 100 Ports";
nmap -Pn --top-ports 100 --open -v -v -oX quick.xml $1 1> /dev/null;   # -F dropped: it is the same as --top-ports 100
xsltproc quick.xml -o quick.html;
echo "[*] Shallow Scan";
nmap -Pn -A -O --open -oX shallow.xml $1 1> /dev/null;
xsltproc shallow.xml -o shallow.html;
echo "[*] Deep Scan (UDP, Versions, etc)";
nmap --open -sS -sV -T4 -A -v -v -Pn -oX deep.xml $1 1> /dev/null;
xsltproc deep.xml -o deep.html;
echo "[*] NMAP Vulnerability Scan";
# The --script patterns are quoted so the shell does not glob them against files in this folder
nmap -Pn -T4 -A -v -v --script "*vuln*" -oX vulns.xml $1 1> /dev/null;
xsltproc vulns.xml -o vulns.html;
echo "[*] Running Enum Scripts...";
nmap -Pn -T4 -v -v --script "*enum*" -oX enum.xml $1 1> /dev/null;
xsltproc enum.xml -o enum.html;
echo "[*] Running HTTP Scripts...";
nmap -Pn -T4 -v -v --script "*http*" -oX web.xml $1 1> /dev/null;
xsltproc web.xml -o web.html;
echo "[!] Recon Completed. Happy Hunting!";
date

So the script above is pretty straightforward: just a few nmap scans that each write to an .xml file. The tool xsltproc is pretty cool. Thanks TinkerSec for sharing! It converts the .xml file into a nice neat HTML report, using the nmap.xsl stylesheet that nmap references at the top of its XML output…btw, Sparta creates similar reports if you do a little digging. This was helping me become a little more productive, but I kept eating up a lot of time working on boxes…reading through the reports…back and forth. Plus, if I worked on multiple boxes I would have a mess of individual reports to look through.

#!/usr/bin/env bash

RED=$'\e[1;31m' #Colors used for indicators
YLW=$'\e[1;33m'
GRN=$'\e[1;32m'
BLU=$'\e[1;34m'
WTE=$'\e[0m'
echo "";
echo "$YLW  ================================================";
echo "$BLU[*] 	Recon script  @n1c_Fury                  [*]";
echo "$BLU[*]	Usage: ./recon.sh <host> <folder>        [*]";
echo "$BLU[*]	Use '-iL path/file' for multiple hosts   [*]";
echo "$YLW  ================================================";
echo "";
# Refuse to start with an empty target or folder; -sS/-sU/-O also need root, so warn about that
if [ -z "$1" ] || [ -z "$2" ]; then
    echo "$RED[!] Usage: $0 <host | -iL path/file> <folder>$WTE"; exit 1;
fi
[ "$(id -u)" -eq 0 ] || echo "$RED[!] Not running as root: the SYN, UDP and OS-detection scans will fail$WTE";
date;
echo "$WTE[*] Target folder is $YLW[!]--> $2 <--[!]";	#This will create the .txt file for posting all of your notes
echo "$WTE[*] Notes are in ${BLU}$2-report.txt";
echo "$WTE[*] Scans: --> ${BLU}file:///mnt/hgfs/PWK/$2/$2-report.html";	#Shared folder of the author's VM; adjust to wherever you run this
echo "$WTE[*] Check the web page here: ${BLU}http://$1";
mkdir -p "$2/nmap-output";	#Quoted so a folder name with spaces does not break anything
cd "$2" || exit 1;		#Never scan into the wrong directory if the folder could not be created
echo "$GRN[*] Creating Report Template...";	#Creates the notes file, but leaves an existing one alone so a re-run cannot clobber your notes
if [ ! -e "$2-report.txt" ]; then
cat > "$2-report.txt" <<EOF
[+] IP/Host: $1 - $2
[+] TCP/UDP:
	  * TCP: 
 	  * UDP: 
[+] MisConfig (misc. configs)
[+] SSH Keys
[+] Whatweb
[+] Nikto
[+] Web Dirs (robots.txt, dirb,etc)
[+] OS Enumeration
[+] Users
[+] User Permissions
[+] Scheduled Tasks/Cron Jobs
[+] Shares
[+] Services
[+] Directory Permissions
[+] Running Processes
[+] System Drivers
[+] Network Connections
[+] Host File
[+] Useful Links
[+] Attack Surface
[+] Possible Vulnerabilities
[+] Effective Exploits
[+] Low Privilege Shell
[+] Root Shell
[+] proof.txt
[+] Hashes
[+] Screenshots:
EOF
fi
echo "$GRN[*] Creating HTML report file...";				#Creates the HTML report: one link per scan, all loading into the same iframe
cat > "$2-report.html" <<EOF
<!DOCTYPE html>
<html>
<head><title>[*] Host Report for $1 - $2 [*]</title></head>
<body>
<h2 align="center"><b>[*] $2 - $1 [*]</b></h2>
<nav>
<h3 align="center">
<a href="nmap-output/top1k.html" target="iframe_a">Top 1000</a>
<a href="nmap-output/allports.html" target="iframe_a">All Ports</a>
<a href="nmap-output/service.html" target="iframe_a">Services</a>
<a href="nmap-output/enum.html" target="iframe_a">Enum</a>
<a href="nmap-output/vulns.html" target="iframe_a">Vulns</a>
<a href="nmap-output/udp.html" target="iframe_a">UDP</a>
</h3>
</nav>
<p align="left"><iframe height="800px" width="800px" name="iframe_a"></iframe></p>
</body>
</html>
EOF
echo "$YLW[*] Starting scans....";  		#Running nmap scans: Output is saved to nmap-output
# $1 is left unquoted on purpose so that '-iL path/file' expands to two arguments;
# the --script patterns are quoted so the shell does not glob them against local files
echo "$WTE[1] Scanning top 1000 Ports";
nmap -Pn --top-ports 1000 --open -v -v -oA nmap-output/top1k $1 1> /dev/null;	# -F dropped: it means top 100 and contradicted --top-ports 1000
sleep 5;
xsltproc nmap-output/top1k.xml -o nmap-output/top1k.html;

echo "$WTE[2] All ports, shallow scan";
nmap -Pn -p- -v -v --open -oA nmap-output/allports $1 1> /dev/null;
sleep 5;
xsltproc nmap-output/allports.xml -o nmap-output/allports.html;

echo "$WTE[3] Deep Scan (Service Versions) ";
nmap --open -O -sV -T4 -A -v -v -Pn -oA nmap-output/service $1 1> /dev/null;
sleep 5;
xsltproc nmap-output/service.xml -o nmap-output/service.html;

echo "$WTE[4] NMAP Vulnerability Scan";
nmap -Pn -T4 -A -v -v --script="*vuln*" -oA nmap-output/vulns $1 1> /dev/null;
sleep 5;
xsltproc nmap-output/vulns.xml -o nmap-output/vulns.html;

echo "$WTE[5] Running Enum Scripts...";
nmap -Pn -T4 -v -v --script="*enum*" -oA nmap-output/enum $1 1> /dev/null;
sleep 5;
xsltproc nmap-output/enum.xml -o nmap-output/enum.html;

echo "$WTE[6] Running UDP Scan...";
nmap -Pn -T4 -sS -sU -v -v -oA nmap-output/udp $1 1> /dev/null;
sleep 5;
xsltproc nmap-output/udp.xml -o nmap-output/udp.html;
echo "$YLW[!] Recon Completed.";
echo "$BLU ";
date;
echo "$RED |) --- Happy Hunting! ---> $WTE";	#Reset the colour so the terminal is not left red

Once again, laziness becomes a motivator to make a better recon script. I wanted to try a few more interesting things with Bash. Could I condense the multiple reports into one page? I also wanted to make the information gathering portion of my approach more convenient, so what did I do? I ended up using the bash script to create an html and a txt file. The html file has each of the reports linked into a single frame so I don’t have to navigate to other windows or tabs. As for the txt file, I had previously been using evernote/onenote/etc to work on the reports, but in between random crashes (during the exam…eeek), I wanted to use something as lightweight as possible; then once I’m finished with a box, I can prune it as needed.
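The consolidation both of the paragraphs above are after (one place to read instead of a pile of per-scan reports) can also be done on the XML itself rather than on the HTML. Below is an added example, not the author's script: a small Python tool (XML parsing is awkward in bash) that reads the -oX/-oA files the recon script already writes and merges every host's open ports into the TCP/UDP lines of the notes template. The sample XML in it is constructed, and the host 10.11.1.5 and the "longest service label wins" merge rule are assumptions.

```python
"""Merge several nmap -oX files into one open-port summary (added example, not from the post): instead
of clicking through top1k.html, allports.html, service.html and udp.html, fill the notes' TCP/UDP lines."""
import xml.etree.ElementTree as ET

# Constructed sample input: roughly what the top-1000 scan and the -sV service scan write for one host.
SAMPLE_TOP1K = """<nmaprun><host><address addr="10.11.1.5" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
<port protocol="tcp" portid="443"><state state="closed"/></port></ports></host></nmaprun>"""
SAMPLE_SVC = """<nmaprun><host><address addr="10.11.1.5" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd"/></port>
<port protocol="udp" portid="161"><state state="open"/><service name="snmp"/></port></ports></host></nmaprun>"""

def parse_nmap_xml(xml_text):
    """Return {addr: {(proto, port): 'name product'}}, keeping open ports only."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        ports = hosts.setdefault(host.find("address").get("addr"), {})  # nmap lists the IP before any MAC
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports do not belong in the summary
            svc = port.find("service")
            label = " ".join(svc.get(k) for k in ("name", "product") if svc is not None and svc.get(k))
            ports[(port.get("protocol"), int(port.get("portid")))] = label
    return hosts

def merge_scans(xml_docs):
    """Union of all scans; the longest (most descriptive) service label wins for a port."""
    merged = {}
    for doc in xml_docs:
        for addr, ports in parse_nmap_xml(doc).items():
            seen = merged.setdefault(addr, {})
            for key, label in ports.items():
                if len(label) >= len(seen.get(key, "")):
                    seen[key] = label
    return merged

def render_notes(merged):
    """Format the merged ports as the '* TCP:' / '* UDP:' lines of the report template."""
    lines = []
    for addr in sorted(merged):
        lines.append(f"[+] TCP/UDP: {addr}")
        for proto in ("tcp", "udp"):
            entries = sorted((p, l) for (pr, p), l in merged[addr].items() if pr == proto)
            lines.append(f"\t  * {proto.upper()}: " + ", ".join(f"{p}/{l or '?'}" for p, l in entries))
    return "\n".join(lines)

if __name__ == "__main__":  # real use: merge_scans(p.read_text() for p in pathlib.Path("nmap-output").glob("*.xml"))
    print(render_notes(merge_scans([SAMPLE_TOP1K, SAMPLE_SVC])))
```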

So some of you are probably going to want to copy/paste my script, and that’s ok if you’re in a hurry, but it would benefit you more to understand the thought process and motivation of building that birdfeeder. Besides, I’m sure a lot of you could do better, so I challenge you to build something better. Before I go, I made a complimentary video a while ago where I briefly talked about the birdfeeder and read a small excerpt from POC|GTFO. The changes to my script since this video have been included on this page. Yeah I know, you’re probably salty you had to read all the way to the end to get to a video. Oh well, you needed to pass the time in that meeting or in bumper to bumper traffic right….Right!?

Run Towards The Hard Shit!